https://live.paloaltonetworks.com/t5/general-topics/auto-block-admin-quot-hammer-quot-attempts/m-p/18326#M13359 <HTML><HEAD></HEAD><BODY><P>I've been seeing stuff in the system log like the following:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">User 'caitlen' failed authentication. Reason: Authentication profile not found for the user From: [some hacker in China's IP]. </PRE><P></P><P>There are a huge string of these, obviously it's reading through a dictionary and trying a bunch of accounts.</P><P></P><P>Is there any way to get the PAN to ignore the IP for some period of time after a certain number of failed authentication attempts?</P><P></P><P>I'm still using the default "Admin" account, is there a document anywhere that would allow me to tie Admin authentication to LDAP or RADIUS, and then am I able to disable the admin account completely?</P></BODY></HTML> Fri, 25 Feb 2011 19:27:48 GMT bradenmcg 2011-02-25T19:27:48Z https://live.paloaltonetworks.com/t5/general-topics/auto-block-admin-quot-hammer-quot-attempts/m-p/18326#M13359 <HTML><HEAD></HEAD><BODY><P>I've been seeing stuff in the system log like the following:</P><P></P><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote">User 'caitlen' failed authentication. Reason: Authentication profile not found for the user From: [some hacker in China's IP]. </PRE><P></P><P>There are a huge string of these, obviously it's reading through a dictionary and trying a bunch of accounts.</P><P></P><P>Is there any way to get the PAN to ignore the IP for some period of time after a certain number of failed authentication attempts?</P><P></P><P>I'm still using the default "Admin" account, is there a document anywhere that would allow me to tie Admin authentication to LDAP or RADIUS, and then am I able to disable the admin account completely?</P></BODY></HTML> Fri, 25 Feb 2011 19:27:48 GMT https://live.paloaltonetworks.com/t5/general-topics/auto-block-admin-quot-hammer-quot-attempts/m-p/18326#M13359 bradenmcg 2011-02-25T19:27:48Z https://live.paloaltonetworks.com/t5/general-topics/auto-block-admin-quot-hammer-quot-attempts/m-p/18327#M13360 <HTML><HEAD></HEAD><BODY><P>Hi Braden,</P><P></P><P>You might consider disabling HTTPS and SSH admin access to your device through any of the external L3 interfaces, if possible and only use the out-of-band management interface.&nbsp; Make sure the management interface is behind the firewall and is does not have a publicly routeable or NAT'ed address.&nbsp; If it must be accessible externally, you might consider configuring a security policy that protects the management port with a Vulnerability Protection Profile to help block intrusion attempts.&nbsp; In the 4.0 release you can also enable a "block-ip" action for vulnerability signatures of your choice.</P><P></P><P>Also, look into configuring specific "permitted IP&nbsp; addresses" on an Interface Management Profile and attaching it to your L3 interface, or configuring permitted IP's on your out-of-band management interface.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Sat, 26 Feb 2011 00:46:16 GMT https://live.paloaltonetworks.com/t5/general-topics/auto-block-admin-quot-hammer-quot-attempts/m-p/18327#M13360 kbrazil 2011-02-26T00:46:16Z